Data Bubble – Complaint about direct marketing

May 2015

The Direct Marketing Association had asked the Commission to consider the circumstances around the buying and selling of alleged ‘financial and medical’ data by Data Bubble. This followed articles in The Daily Mail which alleged that Data Bubble was selling or renting data on the pension and medical details of thousands of people without knowing the source of data the company was sourcing from third parties and without checking on the identity or plans of those to whom data was sold.

The investigation looked at Data Bubble’s data arrangements, how they source and gather their data, and how they ensure any data supplied is in line with regulations and collected with the appropriate consents. It also looked at the arrangements that the member had in place for selling the data to third parties and any due diligence that is undertaken.

Data Bubble co-operated fully with the DMC investigation explaining where they source data and their due diligence arrangements in relation to their customers. This included information on the company who supplied the data they were marketing as a broker and how that data was sourced. The company provided information making clear they did not seek or offer information that might be described as “medical records”.

From the responses given, and in the absence of any further materials, the Commission did not find evidence that Data Bubble’s actions and processes had breached rules of the DMA Code in relation to their responsibility for data supplied to them or for their contract for its use. The investigation did, however, highlight some issues around Data Bubble’s relationship with their data suppliers and lessons in terms of how best to deal with data that might be considered sensitive from a consumer’s point of view.

The Commission was concerned that confidentiality agreements between the broker and its suppliers meant that they could not reveal or may not know the actual source of the data they bought. Whilst Data Bubble seemingly used reliable and trusted suppliers and undertook due diligence on the data they bought and sold, in an extended value chain this was a worry as it meant there was a limit as to the assurances that could be given to buyers on the data’s provenance. This was reflected to an extent in initial uncertainty over the source of data on “ailments” that might be relevant to a business offering pension services and the extent to which Data bubble were reconciled to not getting answers on sources from their principal suppliers.

This seemed even more important when the data was deemed ‘sensitive’. Though no evidence was found that the data in this case was ‘sensitive medical data’ the Commission thought that when selling data that had a ‘heath’ angle, the member would benefit from understanding more about the specific sources of the data in order to assure buyers of its provenance. The Commission found Data Bubble had been clear in its invoice that the data provided was supplied on condition that its use was related to a pension marketing exercise. Rules on the limits applicable to the use of data were also included in the company’s terms and conditions. The Commission did, however, think a broker firm set up to trade in data should have been more alert to the potential issues with data with apparent sensitivities.

The Commission thought the case highlighted broader issues for the sector if players were unable or unwilling to provide information on the sources of data and the natures of the consents given by individuals to the use of their data. If applied as an industry “norm” this practice had serious implications for those trading in data and those using it for marketing to the general public. Public frustration is understandable when those who contact them are unable to say when and how their details were obtained and why the marketing firm believes it has their consent to make a call or send a message.

The use of confidentiality agreements or non-disclosure policies are an obvious barrier to others satisfying themselves that the data is safe to use. While the Commission did not find a compliance issue in the Data Bubble case the exercise highlighted the need to look afresh at how data is traded.